Skip to content

Upgrade curl to 8.21.0#18023

Draft
VijayenderReddyPutta wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_curl-8.21.0-3.0
Draft

Upgrade curl to 8.21.0#18023
VijayenderReddyPutta wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_curl-8.21.0-3.0

Conversation

@VijayenderReddyPutta

@VijayenderReddyPutta VijayenderReddyPutta commented Jul 15, 2026

Copy link
Copy Markdown
Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary
What does the PR accomplish, why was it needed?

This PR upgrades curl from 8.11.1 to 8.21.0.

The current package carries downstream backport patches for the CVEs listed below. These patches are removed in this PR because the fixes are already included in upstream curl releases through 8.21.0.

Removed downstream CVE patches now covered upstream

These CVEs were validated against curl’s official affected/fixed version matrix and security advisories. Because this package is being upgraded to 8.21.0, the downstream backport patches are no longer required.

For reference:

Note: this section documents the downstream CVE patches removed by this PR. Upstream curl 8.21.0 also includes additional security fixes that were not previously carried as downstream patches in this package.

Compatibility / Breaking-Change Notes (Azure Linux)
Upgrades curl from 8.11.1 to 8.21.0.
Removes downstream Azure Linux backport patches because the included CVE fixes are now present upstream in curl 8.21.0.

Auth API change:
CURLAUTH_DIGEST_IE is no longer supported in 8.21.0.
Use CURLAUTH_DIGEST instead.

Protocol/feature changes in upgrade path:
RTMP removed.
SMB support is opt-in.
NTLM disabled by default in newer upstream builds.
Verify required protocols/features with curl --version.

TLS/dependency expectations:
Upstream tightened several dependency/version constraints across the included versions.
Validate runtime/build compatibility on pinned environments.

HTTP/2 behavior:
HTTP/2 stream dependency controls are deprecated/no-op in 8.21.0.
Validate latency/perf-sensitive HTTP/2 workloads.

Compatibility note: upstream curl 8.21.0 deprecates CURLOPT_STREAM_DEPENDS and CURLOPT_STREAM_DEPENDS_E; these options are retained for backward compatibility but no longer have any effect.
No Azure Linux packaging-level breaking changes were identified in this PR beyond the upstream curl behavior changes included in the version upgrade.
Consumers that depend on exact upstream curl 8.11.1 behavior should validate workloads against 8.21.0, especially if they use advanced HTTP/2 stream-priority/dependency APIs, connection reuse behavior, proxy authentication flows, STARTTLS, mTLS, or redirect credential handling.

Verdict: Safe to merge. No breaking changes upstream (8.11.1 → 8.21.0) affect this package's build configuration or default protocol/auth surface.

Reviewed breaking changes and their impact on this build (--with-ssl --with-gssapi --with-libssh2 --with-nghttp2 --enable-threaded-resolver):

<style> </style>
Change Impact here
Secure Transport / BearSSL TLS backends removed None — this build uses OpenSSL
OpenSSL minimum raised to 3.0.0 None — Azure Linux already ships OpenSSL 3.x
NTLM disabled by default No impact unless a consumer explicitly relies on NTLM auth
SMB support made opt-in None — SMB was never enabled in this spec
RTMP support dropped None — RTMP was never enabled in this spec
c-ares minimum raised to 1.16.0 None — this build uses the threaded resolver, not c-ares
CURLAUTH_DIGEST_IE legacy behavior removed Negligible — pre-2006 IE Digest quirk, not used in practice

Recommendation: No action required for this build. Only downstream consumers that explicitly use NTLM authentication should verify their integration continues to work as expected post-upgrade.

Change Log
SPECS/curl/curl.spec — bump to 8.21.0, drop 21 obsolete CVE patches, %changelog
SPECS/curl/curl.signatures.json — new source hash (d9b32799...7f99135e33bb)
SPECS/curl/CVE-2025-0167.patch — removed (fixed upstream in 8.12.0)
SPECS/curl/CVE-2026-1965.patch — removed (fixed upstream in 8.19.0)
SPECS/curl/CVE-2026-6253.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2025-0665.patch — removed (fixed upstream in 8.12.0)
SPECS/curl/CVE-2026-3783.patch — removed (fixed upstream in 8.19.0)
SPECS/curl/CVE-2025-0725.patch — removed (fixed upstream in 8.12.0)
SPECS/curl/CVE-2026-3784.patch — removed (fixed upstream in 8.19.0)
SPECS/curl/CVE-2026-6429.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2025-10148.patch — removed (fixed upstream in 8.16.0)
SPECS/curl/CVE-2026-4873.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2026-7168.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2025-14017.patch — removed (fixed upstream in 8.18.0)
SPECS/curl/CVE-2026-5545.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2026-6276.patch — removed (fixed upstream in 8.20.0)
SPECS/curl/CVE-2026-12064.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8926.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8927.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8932.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8458.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-10536.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-8286.patch — removed (fixed upstream in 8.21.0)
SPECS/curl/CVE-2026-9079.patch — removed (fixed upstream in 8.21.0)
cgmanifest.json — curl 8.11.1 -> 8.21.0

Does this affect the toolchain?
NO

Associated issues
#xxxx
Links to CVEs
https://nvd.nist.gov/vuln/detail/CVE-2025-0665 — already fixed in 8.12.0
https://nvd.nist.gov/vuln/detail/CVE-2025-0167 — already fixed in 8.12.0
https://nvd.nist.gov/vuln/detail/CVE-2025-0725 — already fixed in 8.12.0
https://nvd.nist.gov/vuln/detail/CVE-2025-10148 — already fixed in 8.16.0
https://nvd.nist.gov/vuln/detail/CVE-2025-14017 — already fixed in 8.18.0
https://nvd.nist.gov/vuln/detail/CVE-2026-1965 — already fixed in 8.19.0
https://nvd.nist.gov/vuln/detail/CVE-2026-3783 — already fixed in 8.19.0
https://nvd.nist.gov/vuln/detail/CVE-2026-3784 — already fixed in 8.19.0
https://nvd.nist.gov/vuln/detail/CVE-2026-4873 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-6276 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-7168 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-5545 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-6253 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-6429 — already fixed in 8.20.0
https://nvd.nist.gov/vuln/detail/CVE-2026-12064 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8926 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8927 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8932 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8458 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-10536 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-8286 — already fixed in 8.21.0
https://nvd.nist.gov/vuln/detail/CVE-2026-9079 — already fixed in 8.21.0

Test Methodology
Local Build.
image

Buddy Build URL -

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jul 15, 2026
@VijayenderReddyPutta VijayenderReddyPutta changed the title Upgrade curl to 8.21.0 for multiple CVEs Upgrade curl to 8.21.0 for CVEs: CVE-2026-12064, CVE-2026-8286, CVE-2026-8458, CVE-2026-8926, CVE-2026-8927, CVE-2026-8932, CVE-2026-9079, CVE-2026-10536 Jul 16, 2026
@Kanishk-Bansal Kanishk-Bansal changed the title Upgrade curl to 8.21.0 for CVEs: CVE-2026-12064, CVE-2026-8286, CVE-2026-8458, CVE-2026-8926, CVE-2026-8927, CVE-2026-8932, CVE-2026-9079, CVE-2026-10536 Upgrade curl to 8.21.0 Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant